---
# Add the credhub release to the director's release list. Version, download
# URL and sha1 are pinned together so the director can verify the fetched
# tarball against a known digest before uploading it. (BOSH also accepts a
# `sha256:`-prefixed value in the sha1 field if the stronger digest is wanted.)
- type: replace
  path: /releases/-
  value:
    name: credhub
    version: "1.2.0"
    url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=1.2.0
    sha1: b28b53dc55c1f1c8ef37edddc9ecad76e16f7d77
# Co-locate the credhub job on the director VM.
- type: replace
  path: /instance_groups/name=bosh/jobs/-
  value:
    name: credhub
    release: credhub
    properties:
      credhub:
        # Inbound tokens are issued by the UAA on the same VM; they are checked
        # against the UAA CA and the JWT signing public key below.
        authentication:
          uaa:
            url: "https://((internal_ip)):8443"
            ca_certs:
              - ((uaa_ssl.ca))
            verification_key: ((uaa_jwt_signing_key.public_key))

        # Backing store is the director's own postgres over loopback. The
        # connection is plaintext (require_tls: false); that only holds up while
        # postgres stays co-located on this VM and is never exposed off-host.
        data_storage:
          type: postgres
          host: "127.0.0.1"
          port: 5432
          username: postgres
          password: ((postgres_password))
          database: credhub
          require_tls: false

        # Server certificate presented on the credhub API port.
        tls: ((credhub_tls))

        # Secrets at rest are encrypted with the internal provider; the key is
        # derived from credhub_encryption_password, so rotating that password
        # is a re-encryption event, not a simple credential swap.
        encryption:
          providers:
            - name: internal
              type: internal
          keys:
            - provider_name: internal
              encryption_password: ((credhub_encryption_password))
              active: true
# Ask the director's postgres job to create the `credhub` database used by
# data_storage above (the `?` makes the op tolerate a missing list).
- type: replace
  path: /instance_groups/name=bosh/properties/postgres/additional_databases?/-
  value: credhub
# Configure Director
# Point the director's config server at the local credhub API. The director
# trusts the credhub_tls CA for the API endpoint and authenticates to it with
# the director_to_credhub UAA client (client_credentials grant).
- type: replace
  path: /instance_groups/name=bosh/properties/director/config_server?
  value:
    enabled: true
    url: "https://((internal_ip)):8844/api/"
    ca_cert: ((credhub_tls.ca))
    uaa:
      url: "https://((internal_ip)):8443"
      ca_cert: ((uaa_ssl.ca))
      client_id: director_to_credhub
      # Same secret as the UAA client definition; keep the two in lockstep.
      client_secret: ((uaa_clients_director_to_credhub))
# Configure UAA
# Machine client used by the director to reach credhub. client_credentials
# only, no user scope, and authorities limited to credhub read/write; tokens
# live for one hour.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/director_to_credhub?
  value:
    override: true
    authorized-grant-types: client_credentials
    scope: ""
    authorities: "credhub.read,credhub.write"
    access-token-validity: 3600
    secret: ((uaa_clients_director_to_credhub))
# Client used by the credhub CLI. It has an empty secret, so it cannot
# authenticate on its own: access depends on the user's password (password
# grant), and the short 60 s access token / 30 min refresh token bound the
# window in which a leaked token is useful.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/clients/credhub_cli?
  value:
    override: true
    authorized-grant-types: "password,refresh_token"
    scope: "credhub.read,credhub.write"
    authorities: ""
    access-token-validity: 60
    refresh-token-validity: 1800
    secret: ""
# Local UAA user for CLI logins; membership in the credhub.* groups is what
# grants the scopes the credhub_cli client is allowed to request.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/scim/users?/-
  value:
    name: credhub-cli
    password: ((credhub_cli_password))
    groups:
      - credhub.read
      - credhub.write
# Make UAA-issued tokens revocable so a compromised token can be invalidated
# before it expires rather than only aging out.
- type: replace
  path: /instance_groups/name=bosh/jobs/name=uaa/properties/uaa/jwt/revocable?
  value: true
# Variables
# Self-signed CA that issues the credhub server certificate.
- type: replace
  path: /variables/-
  value:
    name: credhub_ca
    type: certificate
    options:
      is_ca: true
      common_name: "CredHub CA"
# Server certificate for the credhub API, signed by credhub_ca. Both CN and
# SAN carry internal_ip, so clients connecting by that address get a matching
# hostname check.
- type: replace
  path: /variables/-
  value:
    name: credhub_tls
    type: certificate
    options:
      ca: credhub_ca
      common_name: ((internal_ip))
      alternative_names:
        - ((internal_ip))
# Generated secrets. Each is created by the variable store on first deploy and
# referenced by name in the ops above; none should ever be hard-coded here.
- type: replace
  path: /variables/-
  value:
    # Key-derivation input for credhub's internal encryption provider.
    name: credhub_encryption_password
    type: password

- type: replace
  path: /variables/-
  value:
    # Shared by the director's config_server and the UAA client definition.
    name: uaa_clients_director_to_credhub
    type: password

- type: replace
  path: /variables/-
  value:
    # Login password for the credhub-cli UAA user.
    name: credhub_cli_password
    type: password